pa-fazil
/
android_packages_modules_Virtualization
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Extend libdm_rust to build dm-crypt device 

Add crypt module which supports building DmCryptTarget based dm table
entry. Also expose this via create_crypt_device()

Also, add unit test that use loopdevice as the backing device.

Test: atest libdm_rust.test
Bug: 250880499
Change-Id: Ibf09ca267cbcc7a2dc00dd835f2d8b781040f130
This commit is contained in:
Shikha Panwar 2022-10-13 20:34:45 +00:00
parent 743454c58e
commit 27cb7e7f6a
5 changed files with 316 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
libs/devicemapper/Android.bp
View File

@ -36,5 +36,5 @@ rust_test {
"libscopeguard",
"libtempfile",
],
data: ["tests/data/*"],
data: ["testdata/*"],
}

153
libs/devicemapper/src/crypt.rs Normal file
View File

@ -0,0 +1,153 @@
/*
* Copyright (C) 2022 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
/// `crypt` module implements the "crypt" target in the device mapper framework. Specifically,
/// it provides `DmCryptTargetBuilder` struct which is used to construct a `DmCryptTarget` struct
/// which is then given to `DeviceMapper` to create a mapper device.
use crate::util::*;
use crate::DmTargetSpec;
use anyhow::{bail, Context, Result};
use data_model::DataInit;
use std::io::Write;
use std::mem::size_of;
use std::path::Path;
const SECTOR_SIZE: u64 = 512;
// The UAPI for the crypt target is at:
// Documentation/admin-guide/device-mapper/dm-crypt.rst
/// Supported ciphers
pub enum CipherType {
// TODO(b/253394457) Include ciphers with authenticated modes as well
AES256XTS,
}
pub struct DmCryptTarget(Box<[u8]>);
impl DmCryptTarget {
/// Flatten into slice
pub fn as_slice(&self) -> &[u8] {
self.0.as_ref()
}
}
pub struct DmCryptTargetBuilder<'a> {
cipher: CipherType,
key: Option<&'a [u8]>,
iv_offset: u64,
device_path: Option<&'a Path>,
offset: u64,
device_size: u64,
// TODO(b/238179332) Extend this to include opt_params, in particular 'integrity'
}
impl<'a> Default for DmCryptTargetBuilder<'a> {
fn default() -> Self {
DmCryptTargetBuilder {
cipher: CipherType::AES256XTS,
key: None,
iv_offset: 0,
device_path: None,
offset: 0,
device_size: 0,
}
}
}
impl<'a> DmCryptTargetBuilder<'a> {
/// Sets the device that will be used as the data device (i.e. providing actual data).
pub fn data_device(&mut self, p: &'a Path, size: u64) -> &mut Self {
self.device_path = Some(p);
self.device_size = size;
self
}
/// Sets the encryption cipher.
pub fn cipher(&mut self, cipher: CipherType) -> &mut Self {
self.cipher = cipher;
self
}
/// Sets the key used for encryption. Input is byte array.
pub fn key(&mut self, key: &'a [u8]) -> &mut Self {
self.key = Some(key);
self
}
/// The IV offset is a sector count that is added to the sector number before creating the IV.
pub fn iv_offset(&mut self, iv_offset: u64) -> &mut Self {
self.iv_offset = iv_offset;
self
}
/// Starting sector within the device where the encrypted data begins
pub fn offset(&mut self, offset: u64) -> &mut Self {
self.offset = offset;
self
}
/// Constructs a `DmCryptTarget`.
pub fn build(&self) -> Result<DmCryptTarget> {
// The `DmCryptTarget` struct actually is a flattened data consisting of a header and
// body. The format of the header is `dm_target_spec` as defined in
// include/uapi/linux/dm-ioctl.h.
let device_path = self
.device_path
.context("data device is not set")?
.to_str()
.context("data device path is not encoded in utf8")?;
let key =
if let Some(key) = self.key { hexstring_from(key) } else { bail!("key is not set") };
// Step2: serialize the information according to the spec, which is ...
// DmTargetSpec{...}
// <cipher> <key> <iv_offset> <device path> \
// <offset> [<#opt_params> <opt_params>]
let mut body = String::new();
use std::fmt::Write;
write!(&mut body, "{} ", get_kernel_crypto_name(&self.cipher))?;
write!(&mut body, "{} ", key)?;
write!(&mut body, "{} ", self.iv_offset)?;
write!(&mut body, "{} ", device_path)?;
write!(&mut body, "{} ", self.offset)?;
write!(&mut body, "\0")?; // null terminator
let size = size_of::<DmTargetSpec>() + body.len();
let aligned_size = (size + 7) & !7; // align to 8 byte boundaries
let padding = aligned_size - size;
let mut header = DmTargetSpec::new("crypt")?;
header.sector_start = 0;
header.length = self.device_size / SECTOR_SIZE; // number of 512-byte sectors
header.next = aligned_size as u32;
let mut buf = Vec::with_capacity(aligned_size);
buf.write_all(header.as_slice())?;
buf.write_all(body.as_bytes())?;
buf.write_all(vec![0; padding].as_slice())?;
Ok(DmCryptTarget(buf.into_boxed_slice()))
}
}
fn get_kernel_crypto_name(cipher: &CipherType) -> &str {
match cipher {
CipherType::AES256XTS => "aes-xts-plain64",
}
}

162
libs/devicemapper/src/lib.rs
View File

@ -38,6 +38,8 @@ use std::mem::size_of;
use std::os::unix::io::AsRawFd;
use std::path::{Path, PathBuf};
/// Exposes DmCryptTarget & related builder
pub mod crypt;
/// Expose util functions
pub mod util;
/// Exposes the DmVerityTarget & related builder
@ -46,9 +48,10 @@ pub mod verity;
pub mod loopdevice;
mod sys;
use crypt::DmCryptTarget;
use sys::*;
use util::*;
use verity::*;
use verity::DmVerityTarget;
nix::ioctl_readwrite!(_dm_dev_create, DM_IOCTL, Cmd::DM_DEV_CREATE, DmIoctl);
nix::ioctl_readwrite!(_dm_dev_suspend, DM_IOCTL, Cmd::DM_DEV_SUSPEND, DmIoctl);
@ -151,27 +154,55 @@ impl DeviceMapper {
Ok(DeviceMapper(f))
}
/// Creates a device mapper device and configure it according to the `target` specification.
/// Creates a (crypt) device and configure it according to the `target` specification.
/// The path to the generated device is "/dev/mapper/<name>".
pub fn create_crypt_device(&self, name: &str, target: &DmCryptTarget) -> Result<PathBuf> {
self.create_device(name, target.as_slice(), uuid("crypto".as_bytes())?, true)
}
/// Creates a (verity) device and configure it according to the `target` specification.
/// The path to the generated device is "/dev/mapper/<name>".
pub fn create_verity_device(&self, name: &str, target: &DmVerityTarget) -> Result<PathBuf> {
self.create_device(name, target.as_slice(), uuid("apkver".as_bytes())?, false)
}
/// Removes a mapper device.
pub fn delete_device_deferred(&self, name: &str) -> Result<()> {
let mut data = DmIoctl::new(name)?;
data.flags |= Flag::DM_DEFERRED_REMOVE;
dm_dev_remove(self, &mut data)
.context(format!("failed to remove device with name {}", &name))?;
Ok(())
}
fn create_device(
&self,
name: &str,
target: &[u8],
uid: String,
writable: bool,
) -> Result<PathBuf> {
// Step 1: create an empty device
let mut data = DmIoctl::new(name)?;
data.set_uuid(&uuid("apkver".as_bytes())?)?;
data.set_uuid(&uid)?;
dm_dev_create(self, &mut data)
.context(format!("failed to create an empty device with name {}", &name))?;
// Step 2: load table onto the device
let payload_size = size_of::<DmIoctl>() + target.as_slice().len();
let payload_size = size_of::<DmIoctl>() + target.len();
let mut data = DmIoctl::new(name)?;
data.data_size = payload_size as u32;
data.data_start = size_of::<DmIoctl>() as u32;
data.target_count = 1;
data.flags |= Flag::DM_READONLY_FLAG;
if !writable {
data.flags |= Flag::DM_READONLY_FLAG;
}
let mut payload = Vec::with_capacity(payload_size);
payload.extend_from_slice(data.as_slice());
payload.extend_from_slice(target.as_slice());
payload.extend_from_slice(target);
dm_table_load(self, payload.as_mut_ptr() as *mut DmIoctl)
.context("failed to load table")?;
@ -185,15 +216,6 @@ impl DeviceMapper {
wait_for_path(&path)?;
Ok(path)
}
/// Removes a mapper device
pub fn delete_device_deferred(&self, name: &str) -> Result<()> {
let mut data = DmIoctl::new(name)?;
data.flags |= Flag::DM_DEFERRED_REMOVE;
dm_dev_remove(self, &mut data)
.context(format!("failed to remove device with name {}", &name))?;
Ok(())
}
}
/// Used to derive a UUID that uniquely identifies a device mapper device when creating it.
@ -208,3 +230,113 @@ fn uuid(node_id: &[u8]) -> Result<String> {
let uuid = Uuid::new_v1(ts, node_id)?;
Ok(String::from(uuid.to_hyphenated().encode_lower(&mut Uuid::encode_buffer())))
}
#[cfg(test)]
mod tests {
use super::*;
use crypt::DmCryptTargetBuilder;
use std::fs::{read, File, OpenOptions};
use std::io::Write;
const KEY: &[u8; 32] = b"thirtytwobyteslongreallylongword";
const DIFFERENT_KEY: &[u8; 32] = b"drowgnolyllaergnolsetybowtytriht";
// Create a file in given temp directory with given size
fn prepare_tmpfile(test_dir: &Path, filename: &str, sz: u64) -> PathBuf {
let filepath = test_dir.join(filename);
let f = File::create(&filepath).unwrap();
f.set_len(sz).unwrap();
filepath
}
fn write_to_dev(path: &Path, data: &[u8]) {
let mut f = OpenOptions::new().read(true).write(true).open(&path).unwrap();
f.write_all(data).unwrap();
}
fn delete_device(dm: &DeviceMapper, name: &str) -> Result<()> {
dm.delete_device_deferred(name)?;
wait_for_path_disappears(Path::new(MAPPER_DEV_ROOT).join(&name))?;
Ok(())
}
#[test]
fn mapping_again_keeps_data() {
// This test creates 2 different crypt devices using same key backed by same data_device
// -> Write data on dev1 -> Check the data is visible & same on dev2
let dm = DeviceMapper::new().unwrap();
let inputimg = include_bytes!("../testdata/rand8k");
let sz = inputimg.len() as u64;
let test_dir = tempfile::TempDir::new().unwrap();
let backing_file = prepare_tmpfile(test_dir.path(), "storage", sz);
let data_device = loopdevice::attach(
backing_file,
0,
sz,
/*direct_io*/ true,
/*writable*/ true,
)
.unwrap();
scopeguard::defer! {
loopdevice::detach(&data_device).unwrap();
_ = delete_device(&dm, "crypt1");
_ = delete_device(&dm, "crypt2");
}
let target =
DmCryptTargetBuilder::default().data_device(&data_device, sz).key(KEY).build().unwrap();
let mut crypt_device = dm.create_crypt_device("crypt1", &target).unwrap();
write_to_dev(&crypt_device, inputimg);
// Recreate another device using same target spec & check if the content is the same
crypt_device = dm.create_crypt_device("crypt2", &target).unwrap();
let crypt = read(crypt_device).unwrap();
assert_eq!(inputimg.len(), crypt.len()); // fail early if the size doesn't match
assert_eq!(inputimg, crypt.as_slice());
}
#[test]
fn data_inaccessible_with_diff_key() {
// This test creates 2 different crypt devices using different keys backed
// by same data_device -> Write data on dev1 -> Check the data is visible but not the same on dev2
let dm = DeviceMapper::new().unwrap();
let inputimg = include_bytes!("../testdata/rand8k");
let sz = inputimg.len() as u64;
let test_dir = tempfile::TempDir::new().unwrap();
let backing_file = prepare_tmpfile(test_dir.path(), "storage", sz);
let data_device = loopdevice::attach(
backing_file,
0,
sz,
/*direct_io*/ true,
/*writable*/ true,
)
.unwrap();
scopeguard::defer! {
loopdevice::detach(&data_device).unwrap();
_ = delete_device(&dm, "crypt3");
_ = delete_device(&dm, "crypt4");
}
let target =
DmCryptTargetBuilder::default().data_device(&data_device, sz).key(KEY).build().unwrap();
let target2 = DmCryptTargetBuilder::default()
.data_device(&data_device, sz)
.key(DIFFERENT_KEY)
.build()
.unwrap();
let mut crypt_device = dm.create_crypt_device("crypt3", &target).unwrap();
write_to_dev(&crypt_device, inputimg);
// Recreate the crypt device again diff key & check if the content is changed
crypt_device = dm.create_crypt_device("crypt4", &target2).unwrap();
let crypt = read(crypt_device).unwrap();
assert_ne!(inputimg, crypt.as_slice());
}
}

15
libs/devicemapper/src/util.rs
View File

@ -37,6 +37,21 @@ pub fn wait_for_path<P: AsRef<Path>>(path: P) -> Result<()> {
Ok(())
}
/// Wait for the path to disappear
#[cfg(test)]
pub fn wait_for_path_disappears<P: AsRef<Path>>(path: P) -> Result<()> {
const TIMEOUT: Duration = Duration::from_secs(1);
const INTERVAL: Duration = Duration::from_millis(10);
let begin = Instant::now();
while !path.as_ref().exists() {
if begin.elapsed() > TIMEOUT {
bail!("{:?} not disappearing. TIMEOUT.", path.as_ref());
}
thread::sleep(INTERVAL);
}
Ok(())
}
/// Returns hexadecimal reprentation of a given byte array.
pub fn hexstring_from(s: &[u8]) -> String {
s.iter().map(|byte| format!("{:02x}", byte)).reduce(|i, j| i + &j).unwrap_or_default()

BIN
libs/devicemapper/testdata/rand8k vendored Normal file
View File

Binary file not shown.